Microsoft connects zero-day exploits to Austrian spyware maker – Meczyki.Net

Microsoft has linked the exploits of several Windows and Adobe zero-day targeting organizations in Europe and Central America to a little-known Austrian spyware maker.

The technology giant’s threat intelligence and security response units have linked several cyberattacks to a threat actor known as “Knotweed,” which Microsoft identifies as Decision Supporting Information Research Forensics, or DSIRF, a Vienna-based intelligence-gathering company. On its website, DSIRF says it was founded in 2016 but has more than two decades of experience “delivering data-driven intelligence to multinational corporations in the technology, retail, energy and financial sectors.” It also claims to offer red team testing, in which hackers are authorized to find and exploit security vulnerabilities during product testing.

Microsoft said in a report published on Wednesday that Knotweed has been active since at least 2020 and has developed spyware, called Subzero, that allows its customers to remotely and silently break into a victim’s computers, phones, network infrastructure and Internet-connected devices. Subzero is similar in functionality to NSO Group’s Pegasus and Candiru’s DevilsTongue spyware, which are often used by governments to monitor journalists, activists and human rights defenders.

According to a copy of an internal presentation published by Netzpolitik in 2021, DSIRF advertises Subzero as a “next-generation cyber warfare” tool that can take full control of a target’s PC, steal passwords and reveal its real-time location. The report claimed that DSIRF, which reportedly has ties to the Russian government, advertised its tool for use during the 2016 US presidential election. The report also said Germany was considering purchasing Subzero for use by its police and intelligence services.

Microsoft notes that as well as selling the Subzero malware, DSIRF – aka Knotweed – was seen using its own infrastructure in some attacks, suggesting more direct involvement in the targeting of victims, including law firms, banks and strategic consultancies, with known victims in Austria, Panama and the United Kingdom.

But the technology giant said it has confirmed with a victim targeted by Subzero that they “did not commission any red teaming or penetration testing,” and that the activity was unauthorized and malicious.

According to the report, Subzero is distributed through multiple vectors, including several zero-day exploits in Windows and Adobe products. These include the recently patched CVE-2022-22047, a bug in the Windows Client-Server Runtime Subsystem (CSRSS) that could be used to gain a higher level of access on a victim’s device than the logged-in user has. Microsoft said it has patched at least four zero-days used by DSIRF from 2021 onwards.

Knotweed also embedded malicious macros in Excel documents, with second-stage malware hidden inside a regular-looking but “unusually large” JPEG image disguised as a meme. Macros are a common way for malicious actors to deploy malware and ransomware, which is why Microsoft recently began blocking them by default in Office apps.

This “unusually large” JPEG conceals second-stage malware that pulls the main spyware binary from the attackers’ command and control servers. Image Credits: Microsoft

When reached by phone, a DSIRF representative said they would provide Meczyki.Net with a response to Microsoft’s report, but none was provided by press time.

To protect against these attacks, Microsoft recommends that organizations patch CVE-2022-22047, keep antivirus software up to date, and enable multi-factor authentication.

The tech giant is also calling for more action against spyware makers, warning that DSIRF will not be the last such actor to come to light.

“We are increasingly seeing [private-sector offensive actors] selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they can be used to target human rights advocates, journalists, dissidents and others involved in civil society,” said Chris Goodwin, general manager of Microsoft’s Digital Security Unit. “We welcome the attention of Congress to the risks and abuses that we all collectively face from the dishonest use of surveillance technologies and encourage regulation to limit their use in the United States and elsewhere around the world.”